In a computer network environment, access to services is often restricted for security reasons, and a user attempting to access a server has to be authenticated before access can be granted. In many network systems, the user authentication process is based on the password of the user. User authentication prevents a malicious attacker from illegally gaining access to services by pretending to be an authorized user.
The requirement of user authentication for network security, however, can conflict with the need for delegation or appointing a proxy. There are many occasions in which a user intends to have another user or a service perform tasks on her behalf when she is not logged onto the network. For example, a user who will be out of her office for an extended period of time may want another user to access her files during her absence. Access to those files may be restricted for only the first user and requires user authentication based on her password. Due to security concerns, the first user may not want to give her password to the second user. Without her password, however, the second user will not be able to access the files of the first user. If the first user does decide to give her password to the second user, she will be taking the risk that second user may use her password for other unauthorized purposes in or after the supposed duration of the proxy authorization.
As another example, a user may submit a batch job to a batch service and then log off, expecting the batch service to run the batch job in the background without further attention of the user. To run the batch job, it is likely that the batch service will have to access services that the user submitting the batch job is authorized to access. Due to the requirement of user authentication for accessing services, however, the batch service cannot gain-access to those services by simply holding itself out as the batch user.
Existing batch services solve this problem by taking approaches that are not satisfactory. Under one approach, the requirement for user authentication is simply waived. The operating system of the service is told to perform subsequent actions on the batch user's account without requiring authentication from that user. The problem of this approach is that all the computers running the batch jobs must be highly trusted and secure, because they can act as the user without authentication while the batch job is running. An alternative is to modify permissions on the objects that the batch job needs to access. It is, however, difficult to know in advance which objects will be accessed. Furthermore, the user may not have the authority to change the access permissions of the objects, such as when the security of the objects is managed by someone else.
Under another existing approach, the user's password is given to the batch service, which stores the password and uses it to instantiate the batch job. The aspect of requiring the user to give her password to another entity, in this case the batch service, causes serious security concerns. There may be many batch jobs submitted to the batch service by different users, and the batch service will store the passwords of all of those batch users. If an attacker breaks into the batch service, he will find out the passwords of all the batch users. He can then act as any of those batch users and authenticate properly because he knows the password of that user.
Besides the security concerns, this approach may also encounter problems when the user who submitted a batch job changes her password. Many batch jobs are run periodically or continuously for months or even years. During the lifetime of the batch job, it is possible that the user will change her password one or more times. If the user changes her password but forgets to notify the batch service of the new password, the batch service can no longer authenticate itself as the user. As a result, access to the services will be denied and the batch job will fail.
Accordingly, there is a need for a mechanism for one user in a secured network to allow another user or a service to act as her without requiring the first user to divulge her password or other secrets, and preferably such mechanism allows such delegation or proxy to operate for an extended period without being affected by the user's changing her password.